NSA director Mike Rogers testified in front of a Senate committee this week, lamenting that the poor ol’ NSA just doesn’t have the “cyber-offensive” capabilities (read: the ability to hack people) it needs to adequately defend the US. How cyber-attacking countries will help cyber-defense is anybody’s guess, but the idea that the NSA is somehow hamstrung is absurd.

Yes, we (or rather, our representatives) are expected to believe the NSA is just barely getting by when it comes to cyber-capabilities. Somehow, backdoors in phone SIM cards, backdoors in networking hardware, backdoors in hard drives, compromised encryption standards, collection points on internet backbones, the cooperation of national security agencies around the world, stealth deployment of malicious spyware, the phone records of pretty much every American, access to major tech company data centers, an arsenal of purchased software and hardware exploits, various odds and ends yet to be disclosed and the full support of the last two administrations just isn't enough. Now, it wants the blessing of lawmakers to do even more than it already does. Which is quite a bit, actually.

The NSA runs sophisticated hacking operations all over the world. A Washington Post report showed that the NSA carried out 231 “offensive” operations in 2011 - and that number has surely grown since then. That report also revealed that the NSA runs a $652m project that has infected tens of thousands of computers with malware.

That was four years ago -- a lifetime when it comes to an agency with the capabilities the NSA possesses. Anyone who believes the current numbers are lower is probably lobbying for increased power. And they don't believe it. They just act like they do.

Unfortunately, legislators may be in a receptive mood. CISA -- CISPA rebranded -- is back on the table. The recent Sony hack, which caused millions of dollars of embarrassment, has gotten more than a few of them fired up about the oft-deployed term "cybersecurity." Most of those backing this legislation don't seem to have the slightest idea (or just don't care) how much collateral damage it will cause or the extent to which they're looking to expand government power.

The NSA knows, and it wants this bill to sail through unburdened by anything more than its requests for permission to fire.

The bill will do little to stop cyberattacks, but it will do a lot to give the NSA even more power to collect Americans’ communications from tech companies without any legal process whatsoever. The bill’s text was finally released a couple days ago, and, as EFF points out, tucked in the bill were the powers to do the exact type of “offensive” attacks for which Rogers is pining.

In the meantime, Section 215 languishes slightly, as Trevor Timm points out. But that's the least of the NSA's worries. It has tech companies openly opposing its "collect everything" approach. Apple and Google are both being villainized by security and law enforcement agencies for their encryption-by-default plans. More and more broad requests for user data are being challenged, and (eventually) some of the administration's minor surveillance tweaks will be implemented.

Section 215 may die. (Or it may keep on living even in death, thanks to some ambiguous language in the PATRIOT Act.) But I would imagine the bulk phone metadata is no longer a priority for the NSA. It has too many other programs that harvest more and face fewer challenges. The NSA wants to be a major cyberwar player, which is something that will only increase its questionable tactics and domestic surveillance efforts. If it gets its way via CISA, it will be able to make broader and deeper demands for information from tech companies. Under the guise of "information sharing," the NSA will collect more and share less. And what it does share will be buried under redactions, gag orders and chants of "national security." Its partnerships with tech companies will bear a greater resemblance to parasitic relationships than anything approaching equitable, especially when these companies will have this "sharing" foisted upon them by dangerously terrible legislation.

But until it reaches that point, the NSA will keep claiming it's under-equipped to handle the modern world. And it will continue to make the very dubious claim that the best defense is an unrestrained offense.

from the a-legislator-can-dream,-can't-he? dept

Since the Snowden leaks began, there have been several efforts made -- legislative and administrative -- in response to the exposure of the NSA's domestic surveillance programs. Some have been real fixes. Some have been fake fixes. Others have targeted the thing the NSA desires even more than seemingly limitless access to data from all over the world: funding.

The bill would completely repeal the Patriot Act, the sweeping national security law passed in the days after Sept. 11, 2001, as well as the 2008 FISA Amendments Act, another spying law that the NSA has used to justify collecting vast swaths of people's communications through the Internet.

If anything's due for a complete revamp, if not a complete repeal, it's the Patriot Act. It wasn't even good legislation back when it was passed. At best, it was "timely," which is a term that gives the rushed, secretive, knee-jerk legislation far more credit than it deserves. Pocan and Massie's (the latter of whom has just introduced a new phone-unlocking bill with Rep. Zoe Lofgren to replace the bad one passed by the House in 2014) "Surveillance State Repeal Act" doesn't waste any time "tinkering around the edges."

Not only would the bill repeal the law, it would reset anything (amendments/additional government powers) brought into force by the Patriot Act and the FISA Amendments Act of 2008. On top of that, it would demand the immediate deletion of tons of data from the NSA's collections.

DESTRUCTION OF CERTAIN INFORMATION.—The Director of National Intelligence and the Attorney General shall destroy any information collected under the USA PATRIOT Act (Public Law 107-56) and the amendments made by such Act, as in effect the day before the date of the enactment of this Act, concerning a United States person that is not related to an investigation that is actively ongoing on such date.

The bill, oddly, also describes a path towards FISA Judge For Life positions.

TERMS; REAPPOINTMENT.—Section 103(d) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(d)) is amended— (1) by striking ‘‘maximum of seven’’ and inserting ‘‘maximum of ten’’; and (2) by striking ‘‘and shall not be eligible for re-designation’’.

Which is fine (not really) if you like the judges already appointed. But this is the sort of thing that leads to the permanent appointment of judges favored by either side of the surveillance question. And so far, presidential administrations have come down in favor of domestic surveillance. Removing the term limits just encourages the appointment of permanent NSA rubber stamps.

The bill creates a warrant requirement for the acquisition of US persons' data under the FISA Amendments Act and Executive Order 12333. It also expressly forbids a government mandate for encryption backdoors, although the first sentence of this section seems to be a rather large loophole.

Notwithstanding any other provision of law, the Federal Government shall not mandate that the manufacturer of an electronic device or software for an electronic device build into such device or software a mechanism that allows the Federal Government to bypass the encryption or privacy technology of such device or software.

If this bill somehow manages to pass a round or two of scrutiny, language tweaks will certainly be requested -- possibly leading to a complete subversion of the bill's intent. But that's a huge "if." Very few legislators have the stomach to gut the Patriot Act or the FISA Amendments Act. Many will be happy to entertain smaller fixes, but most won't be willing to essentially strip the NSA of its domestic surveillance powers. No one wants to be the "yea" vote that's pointed to in the wake of a terrorist attack and only a few more are actually willing to go head-to-head with the intelligence agency.

from the your-expired-laws-have-no-power-here dept

The NSA's bulk phone metadata program is unstoppable. Despite being called out by legislators and the administration's civil liberties oversight board as unconstitutional and illegal -- and despite being targeted by several of the administration's surveillance reforms -- it continues uninterrupted and largely unchanged.

Legislators who watched their Section 215-targeting bills die on the Congressional floor are now watching the clock. This part of the PATRIOT Act is set to expire June 1st (as is the latest bulk metadata order) and if Congress doesn't act to renew it, the program will grind to a halt. Or so you would think. But the FISA judge James Boasberg doesn't see why this provision's sunset should have any negative effect on the continued collection of phone metadata.

If Congress, conversely, has not enacted legislation amending § 1861 or extending its sunset date established by Section 102(b) of Public Law 109-177, 120 Stat. 195, as most recently amended by Section 2(a) of Public Law 112-14, 125 Stat. 216, the government is directed to provide a legal memorandum pursuant to Rule 11(d) addressing the power of the Court to grant such authority beyond June 1, 2015.

It's Public Law 109-177 that's aiding the effortless reauthorization. Charlie Savage of the New York Times noted this possibility last year. There's an exception in place that allows authorized surveillance programs to continue even after their authorizations have lapsed.

(2) Exception.–With respect to any particular foreign intelligence investigation that began before the date on which the provisions referred to in paragraph (1) cease to have effect, or with respect to any particular offense or potential offense that began or occurred before the date on which such provisions cease to have effect, such provisions shall continue in effect.

This could provide for endless bulk surveillance under Section 215, even without renewal of the program. Or it could just be the FISA judge signaling conversations the general public isn't privy to, as Marcy Wheeler points out.

That basically says the Court is aware of this discussion, either because it reads the NYT or because the government has mentioned it. This order doesn’t tip a hand on how FISC would regard this claim, but it does make clear it considers it a distinct possibility.

Note, unless I’m missing something, no language like this appears in any of the unredacted sections of previous dragnet orders, not even when Congress was giving the government straight renewals. We can’t be sure, but that certainly seems to suggest the Court has been having conversations — either by itself or with the government — about alternatives in a way Bob Litt and others are not having publicly.

Even if the court chooses to read the PATRIOT Act as killing Section 215 when it sunsets, this likely won't end the collection of phone metadata. The government still has other options.

Many privacy advocates believe the White House would have two routes available if it chose to continue the program, absent congressional action. Along with potentially being able to continue investigations that are ongoing despite an expiration, the administration could also rely on a "pen/trap" statute, which allows for phone tapping and has a loose standard of relevancy, akin to Section 215, and typically does not require probable cause.

This option would require a bit more paperwork and slightly refined targeting of court-approved numbers. It would, at least temporarily, halt the incoming collection of everything and force the NSA to relinquish control of the database. A PR/TT order wouldn't allow for collection in bulk, but rather return records linked to certain numbers from telcos searching their own databases. So, it would be a step forward in terms of Section 215 reform (moving the database out of the NSA's control), however inadvertently.

Others believe the language in the latest FISA order signifies nothing in particular.

Stewart Baker, a former general counsel at the NSA, said it's possible the surveillance court could use the leeway to grant a "one-off measure" in May to keep the bulk-records program going only through June. He noted that Boasberg's order requests that a memorandum from the government be filed not by June 1 but by May 22, a notable deadline, given that "most observers expect that Congress will only act at the last minute."

"The much harder question is whether it could issue any orders in June," Baker said. "There's an argument that it can, but I suspect that the administration won't be willing to make that argument."

Section 215 might expire, but the door is open for the NSA to continue its collecting uninterrupted. Things may become much more interesting in late May as the clock winds down. Perhaps Congress will have the courage to just let this section of the PATRIOT Act die, but it will have to weather plenty of "terrorists... terrorists everywhere!" posturing from Section 215's defenders. If nothing else, an expiration would force the reforms the NSA has shown little interest in implementing.

from the largely-symbolic,-still-significant dept

However much the US government might hope otherwise, there is still widespread concern in Europe about the activities of the NSA and its Five Eyes friends. Here's the latest proof of that: a joint motion signed by all political parties in the Austrian parliament, against illegal surveillance (via Netzpolitik). The Parliament's own summary of what the motion contained reads as follows (original in German):

The recent revelations of the US whistleblower Edward Snowden have now acted as a call to action for the six parliamentary groups. In a resolution introduced jointly, they express their support for tackling seriously the illegal spying by the US foreign intelligence NSA, its British counterpart GCHQ and other foreign intelligence services. In their opinion, the [Austrian] government should exhaust all available diplomatic options, and diligently pursue violations of the Austrian Criminal Code. In addition, the MPs urge taking steps at the European level to promote the technological independence of Europe in the field of information and communication technology.

In the justification for the motion, reference was made to the recently-discovered "cyberbug", presumably attributable to the NSA. With this new malware, which cannot be detected by anti-virus software, and can even survive wiping the hard disk undamaged, it is possible for encryption to be circumvented, for example. The Members find equally worrying the theft of millions of electronic encryption keys from the Dutch SIM card producer Gemalto.

Although the motion in itself is unlikely to achieve much, it's a clear indication of continuing anger among European politicians at the activities of the NSA and GCHQ in spying on innocent members of the public, and undermining key elements of telecommunications infrastructure. If nothing else, it's a timely reminder that there are plenty of unresolved issues here, and that they are likely to have serious ramifications on US-EU relations in the future, not least in areas like Safe Harbor and TAFTA/TTIP.

from the 1324-Middle-Finger-Extended-Blvd. dept

Cisco became an inadvertent (and very unwilling) co-star in the NSA Antics: Snowden Edition when its logo was splashed across the web by a leaked document detailing the agency's interception of outbound US networking hardware in order to insert surveillance backdoors.

Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says.

The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers…

"We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who ultimately it is going to," Stewart says.

"When customers are truly worried ... it causes other issues to make [interception] more difficult in that [agencies] don't quite know where that router is going so it's very hard to target - you'd have to target all of them. There is always going to be inherent risk."

Stewart acknowledges that Cisco's modified dead drop shipping operations aren't foolproof, but will at least force the agency to do a little more research before intercepting packages. Stewart also noted that some customers aren't taking any chances, opting to pick up their hardware from Cisco directly.

There are also variables Cisco simply can't control, like the possibility of inbound components from upline manufacturers arriving pre-compromised. But it's doing what it can to ensure that "Cisco" isn't synonymous with "spyware."

Then there's always the possibility that the government may find Cisco's new routing methods to be quasi-fraudulent and force the company to plainly state where each package is actually going. No response has been issued by the ODNI or NSA to this news, and most likely, none will be forthcoming. Any statement on Cisco's fictitious routing would tip its hand.

Cisco's plan makes a lot of assumptions about the NSA's capabilities, most of which aren't particularly sound, but this seems to be more a public display of pique than a surefire way to eliminate most of the NSA's hardware interceptions. It also sends a message to the NSA, one it's been hearing more and more of over the last couple of years: the nation's tech companies aren't your buddies and they're more than a little tired of being unwilling partners in worldwide surveillance.

from the until-you-can-answer-that... dept

Last week, the Senate Intelligence Committee voted (in secret, of course) to approve a new cybersecurity bill, dubbed CISA (as it was in the last Congress), though it kept the content of the actual bill secret until this week. The only Senator who voted against it was... Senator Wyden, of course, who rightly pointed out that this bill is "not a cybersecurity bill – it’s a surveillance bill by another name."

Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system.

Even with the changed language, it's still unclear what restrictions exist on "defensive measures." Since the definition of "information system" is inclusive of files and software, can a company that has a file stolen from them launch "defensive measures" against the thief's computer? What's worse, the bill may allow such actions as long as they don't cause "substantial" harm. The bill leaves the term "substantial" undefined. If true, the countermeasures "defensive measures" clause could increasingly encourage computer exfiltration attacks on the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user.

Second, the bill adds a new authority for companies to monitor information systems to protect an entity's hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.

Also, the bill goes away from previous cybersecurity bills that put Homeland Security in charge (which, by itself, isn't great, but DHS is the best option if you're debating between DHS, the NSA and the FBI). While the information still goes to DHS under this bill, DHS doesn't then get to parse through it and figure out where it goes. Instead, the info needs to be shared "in real time" with the NSA. All of which just gives weight to the fact that this is a surveillance bill, not a bill to protect against "cybersecurity attacks."

But if you want to know the single biggest reason why this bill is bogus: ask those supporting it what cybersecurity attack this bill would have stopped. And you'll notice they don't have an answer. That's because it's not a cybersecurity bill at all. It's just a bill to try to give the government more access to your user info.

from the also:-screw-the-CIA dept

In a few months, we'll be marking the second anniversary of the first Snowden leak. The outraged responses of citizens and politicians around the world to these revelations have resulted in approximately nothing in those 24 months. There have been bright spots here and there -- where governments and their intelligence agencies were painted into corners by multiple leaks and forced to respond -- but overall, the supposed debate on the balance between security and privacy has been largely ignored by those on Team National Security.

Here in the US, multiple surveillance reforms were promised. So far, very little has been put into practice. The NSA may be forced to seek court approval for searches of its bulk phone metadata, but otherwise the program rolls on unimpaired and slightly rebranded (from Section 215 to Section 501).

Wyden bluntly warned that even after the NSA scandal that started with Edward Snowden’s disclosures, the Obama administration has continued programs to monitor the activities of American citizens in ways that the public is unaware of and that could be giving government officials intimate details of citizens’ lives.

Asked if intelligence agencies have domestic surveillance programs of which the public is still unaware, Wyden said simply, “Yeah, there’s plenty of stuff.”

One place there's definite regression -- at least in terms of attitude, if not results -- is the push to give intelligence and law enforcement agencies "keys" to encrypted communications, whether in the form of unicorns "golden keys" or pre-installed backdoors in hardware and software. Wyden recognizes the dangers inherent to these demands -- the ones these agencies won't admit exist.

“I’m going to fight that with everything I’ve got … Once the good guys have the keys, the bad guys have the keys and this is going to be incredibly damaging to innovation,” Wyden said.

Wyden blames the current intelligence reform stasis on two key figures, as well as the administration that bends over backwards to oblige them.

Wyden made clear he has little faith serious changes will be made so long as the current leaders of the intelligence community, like Clapper and CIA Director John Brennan, retain their jobs. “The way this works is, these are individuals who serve at the pleasure of the president … [and] the president wants them there.”

“All of these officials … work for the president of the United States, so you can ask him about it. But I don’t have confidence in [CIA Director] Brennan,” Wyden added bluntly.

No reason why he should. As he points out earlier in the interview, the hacker-esque actions the CIA deployed against Senate staffers during the crafting of the Torture Report would get an ordinary person thrown in jail.

The intelligence community may be avoiding any serious reforms thanks to an all-too-gracious administration, but they haven't found a way to shake Wyden -- someone who knows that not receiving an answer to a pointed question can sometimes be as powerful as wrestling admissions from tight-lipped surveillance defenders.

from the what-repercussions? dept

Before there was Edward Snowden, there was of course the notably less celebrated Mark Klein. As most of you probably recall, Klein, a 22-year AT&T employee, became a whistleblower after he highlighted (pdf) how AT&T was effectively using fiber splits to give the NSA duplicate access to every shred of data that touched AT&T's network. Of course, once it was discovered that AT&T was breaking the law, the government decided to just change the law, ignore Klein's testimony, and give all phone companies retroactive immunity. It really wasn't until Snowden that the majority of the tech press took Klein's warnings seriously.

AT&T's been loyally "patriotic" ever since, often giving the government advice on how to skirt the law or at times even acting as intelligence analysts. Business repercussions for AT&T have been minimal at best; in fact, you'll recall that Qwest (now CenturyLink) claimed repeatedly that government cooperation was rewarded with lucrative contracts, while refusal to participate in government programs was punished. In fact, the only snag AT&T's seen in the years since was to have its European expansion plans thwarted, purportedly by regulators uncomfortable with the carrier's cozy NSA ties (AT&T instead simply expanded into Mexico).

Fast forward a few years and The Hill is now claiming that AT&T's relationship with the NSA could harm the company's $48 billion attempt to acquire DirecTV. This claim is apparently based on the fact that a coalition of AT&T business partners, called the Minority Cellular Partners Coalition, is warning the FCC in a letter (pdf) that AT&T's enthusiastic voluntary cooperation with the NSA shows the company's total disregard for consumer privacy.

"(Despite immunity) the Commission is still obliged to execute and enforce the provisions of § 229 of the Act, see 47 U.S.C. § 151, and it is still empowered to conduct an investigation to insure that AT&T complies with the requirements of CALEA. See id. § 229(c). And the Commission is obliged to determine whether AT&T is qualified to obtain DIRECTV’s licenses in light of its egregious violations of CALEA. This is particularly true given AT&T’s continued and ongoing pattern of misconduct. Accordingly, the Commission should investigate AT&T’s complicity in the PSP to determine whether AT&T engaged in unlawful conduct that abridged the privacy interests of telecommunications consumers on a vast scale and, if so, whether AT&T is qualified to obtain DIRECTV’s licenses."

Of course, that's simply not happening. While the NSA cooperation can be used as a broader example of AT&T's character (like the repeatedly nonsensical claims the company makes when it wants a merger approved, or how AT&T tries to charge its broadband customers extra for no deep packet inspection), it's incredibly unlikely that the same government that granted AT&T's immunity will turn around and sign off on using AT&T's behavior to squash a merger. If the merger is blocked, it will be due to more practical considerations -- like the fact that DirecTV is a direct competitor to AT&T and eliminating them would lessen competition in the pay TV space. When it comes to AT&T's relationship with the NSA, it's pretty clear by now that these particular chickens may never come home to roost.

from the start-the-parsing dept

Back in the summer of 2013 as the various "Five Eyes" countries were still reeling from the initial Snowden disclosures, New Zealand's Prime Minister John Key promised to resign if it was ever proven that the GCSB (New Zealand's equivalent to the NSA) had engaged in mass surveillance of New Zealanders -- but with some caveats. He later said that he meant if it was proven that there was illegal surveillance going on. But of course, what's legal can vary based on who's in charge. Either way, late last year there were Snowden documents that proved GCSB regularly scooped up data on New Zealanders, and Key reacted to it by calling Glenn Greenwald "a loser." Not quite the resignation you might have expected.

“The whole method of surveillance these days, is sort of a mass collection situation – individualized: that is mission impossible.”

And, later:

"You cannot these days just individually select people ... you put out a big net, catch stuff, you throw out the stuff you don't want ... and you keep the stuff you do want."

In other words, the GCSB does mass surveillance. So what is Prime Minister John Key now saying about this? Well, first, he will no longer promise that mass surveillance isn't taking place, because of course he can't. Furthermore, he now says that even if mass surveillance is shown he won't resign.

Interviewer: “Nicky Hager’s revelations late last week . . . have stoked fears that New Zealanders’ communications are being indiscriminately caught in that net. . . . The Prime Minister, John Key, has in the past promised to resign if it were found to be mass surveillance of New Zealanders . . . Earlier, Mr. Key was unable to give me an assurance that mass collection of communications from New Zealanders in the Pacific was not taking place.”

PM Key: “No, I can’t. I read the transcript [of former GCSB Director Bruce Ferguson’s interview] – I didn’t hear the interview – but I read the transcript, and you know, look, there’s a variety of interpretations – I’m not going to critique–”

Interviewer: “OK, I’m not asking for a critique. Let’s listen to what Bruce Ferguson did tell us on Friday:”

Ferguson: “The whole method of surveillance these days, is sort of a mass collection situation – individualized: that is mission impossible.”

Interviewer: “And he repeated that several times, using the analogy of a net which scoops up all the information. . . . I’m not asking for a critique with respect to him. Can you confirm whether he is right or wrong?”

Key: “Uh, well I’m not going to go and critique the guy. And I’m not going to give a view of whether he’s right or wrong” . . . .

Interviewer: “So is there mass collection of personal data of New Zealand citizens in the Pacific or not?”

Key: “I’m just not going to comment on where we have particular targets, except to say that where we go and collect particular information, there is always a good reason for that.”

from the boom dept

This is big news. Wikimedia Foundation, the organization behind Wikipedia, has announced that it is suing the NSA (with help from the ACLU) over its mass surveillance program. While the full lawsuit hasn't yet been posted, the lawsuit targets the "upstream" collection under Section 702 of the FISA Amendments Act. Because this gets confusing if you're not spending a lot of time with this, let's break out some of the different surveillance programs:

Section 215 of the PATRIOT Act: Under this program the NSA is collecting all the phone metadata on calls in the US.

Executive Order 12333: This is what enables the NSA to hack into pretty much anything overseas -- including things like Google, Yahoo and Microsoft's data centers.

PRISM: Actually part of Section 702 of the FISA Amendments Act. Allows for (slightly) targeted collections of information via a court order from the FISA Court, demanding specific types of information (rather than "all" information).

Upstream collection: Also under Section 702, but this is the program that lets the NSA tap into backbone fiber optic cables, such as from AT&T and others, and slurp up all traffic in case there's anything "interesting" happening that it can classify as "foreign intelligence information."

It's the upstream collection that Wikimedia is challenging in this lawsuit, arguing (among other things) that it violates both the First and Fourth Amendments.

That upstream program is the one that was first disclosed by Mark Klein, a former AT&T technician who wandered into the EFF's offices a decade ago with the evidence. This resulted in a lawsuit -- Hepting v. AT&T -- that AT&T was able to get out of thanks to Congress passing a law granting the telcos retroactive immunity for helping the NSA. The EFF has a long-running similar case against the NSA over the upstream collection -- Jewel v. NSA -- which recently suffered a setback, in that the judges claimed there wasn't evidence for "standing." That is, the plaintiffs need to be able to prove that they were spied on -- which is a fairly tough barrier.

Another case that was filed on similar grounds, by Amnesty International (also with the ACLU), also lost at the Supreme Court on the question of "standing." However, as it later came out, that victory was based mostly on a false statement from Solicitor General Donald Verrilli, who had argued that if the US government made use of any of the upstream collection data in a lawsuit against someone, the government would need to reveal it to the defendants, who would then have standing to challenge it. Only later -- thanks to a Senate speech from Senator Dianne Feinstein -- did it come out that the DOJ regularly made use of information collected this way without ever alerting the defendants about how the information was collected.

Wikimedia thinks that it has a chance to get past this "standing" hurdle, thanks to the following NSA slide that was leaked in the Ed Snowden revelations:

See that big Wikipedia logo? That seems to be the NSA admitting that it's spying on Wikipedia users.

The 2013 mass surveillance disclosures included a slide from a classified NSA presentation that made explicit reference to Wikipedia, using our global trademark. Because these disclosures revealed that the government specifically targeted Wikipedia and its users, we believe we have more than sufficient evidence to establish standing.

The harm to Wikimedia and the hundreds of millions of people who visit our websites is clear: Pervasive surveillance has a chilling effect. It stifles freedom of expression and the free exchange of knowledge that Wikimedia was designed to enable.

During the 2011 Arab uprisings, Wikipedia users collaborated to create articles that helped educate the world about what was happening. Continuing cooperation between American and Egyptian intelligence services is well established; the director of Egypt’s main spy agency under President Abdel Fattah el-Sisi boasted in 2013 that he was “in constant contact” with the Central Intelligence Agency.

So imagine, now, a Wikipedia user in Egypt who wants to edit a page about government opposition or discuss it with fellow editors. If that user knows the N.S.A. is routinely combing through her contributions to Wikipedia, and possibly sharing information with her government, she will surely be less likely to add her knowledge or have that conversation, for fear of reprisal.

And then imagine this decision playing out in the minds of thousands of would-be contributors in other countries. That represents a loss for everyone who uses Wikipedia and the Internet — not just fellow editors, but hundreds of millions of readers in the United States and around the world.

Given how much difficulty other cases have had in establishing standing, it appears that this may still be a challenge here. However, the fact that the US government effectively misled the Supreme Court last time around at least suggests that maybe it will be open to revisiting the issue this time around.

Kudos to Wikimedia for stepping up to the challenge, and to the ACLU for not giving up on this issue.